This paper presents an abstraction of Hoare logic to traced symmetric monoidal categories, a 
very general framework for the theory of systems. Our abstraction is based on a traced monoidal 
functor from an arbitrary traced monoidal category into the category of pre-orders and monotone 
relations. We give several examples of how our theory generalises usual Hoare logics (partial 
correctness of while programs, partial correctness of pointer programs), and provide some case 
studies on how it can be used to develop new Hoare logics (run-time analysis of while programs 
and stream circuits). 

Categories and Subject Descriptors: F.3.1 [Logics and Meanings of Programs]: Specifying 
and Verifying and Reasoning about Programs 

General Terms: Hoare logic, traced monoidal categories 

Additional Key Words and Phrases: Stream circuits 



1. INTRODUCTION 



Under the general label of Hoare logic, the early work of Floyd [1967] and Hoare [1969] on axiom systems for flowcharts and while programs has been applied to various other domains, such as recursive procedures [Apt 1981], pointer programs [Reynolds 2002], and higher-order languages [Berger et al. 2005]. Our goal in this paper is to identify a minimal structure supporting soundness and (relative) completeness results, in the manner of Cook's presentation for while programs [Cook 1978]. This is achieved via an abstraction of Hoare logic to the theory of traced symmetric monoidal categories [Joyal et al. 1996], a very general framework for the theory of systems.

Traced symmetric monoidal categories precisely capture the intrinsic structure of both flowcharts and dynamical systems, namely: sequential and parallel 'composability', and feedback (unbounded iteration). In fact, traced symmetric monoidal categories are closely related to Bainbridge's work [1976] on the duality between flowcharts and networks. The scope of traced symmetric monoidal categories, however, is much broader, being actively used, for instance, for modelling computation (e.g. [Simpson and Plotkin 2000]) and in connection with Girard's geometry of interaction (e.g. [Haghverdi and Scott 2005]).

The main feature of Hoare logic is the use of assertions P, Q specifying the input-output behaviour of a program. If A is a program, then the triple {P} A {Q} states that on inputs satisfying P the program A, if it terminates, will produce a result which satisfies property Q. An inherent ordering among assertions, given by the consequence relation, is also available, allowing for the properties of input/output to be refined or relaxed. In particular, if {P} A {Q} holds, and Q logically implies Q', then we must also have that {P} A {Q'} holds. Abstractly, assertions can be viewed as objects of a pre-ordered set, with logical implication as an instance of an ordering relation. The derived Hoare triple relation {·} A {·} can then be viewed as a monotone binary relation between the points of the pre-order.

More precisely, let H be the category of pre-ordered sets and monotone relations (see Section 3 for the formal definition). We first identify a particular class of functors, which we call verification functors, between traced symmetric monoidal categories and subcategories of H. We then give an abstract definition of Hoare triples, parametrised by a verification functor, and prove a single soundness and completeness (in the sense of Cook) theorem for such triples. In the particular case of the traced symmetric monoidal category of while programs (respectively, pointer programs) this embedding gives us back Hoare's original logic [1969] (respectively, O'Hearn and Reynolds' logic [2002]). In order to illustrate the generality of our framework, we also derive new sound and complete Hoare-logic-like rules for the verification of running time (and hence termination) of programs, and the verification of linear dynamical systems (modelled via stream circuits).

The chief contributions of this paper are as follows: (i) The definition of the concept of a verification functor, between traced symmetric monoidal categories and the category H (Section 3). (ii) An abstraction of Hoare triples in terms of verification functors (Definition 3.3). In general, our abstraction of Hoare logic provides a 'categorical' recipe for the development of new (automatically) sound and complete Hoare-logic-like rules for any class of systems having the underlying structure of a traced symmetric monoidal category. Moreover, Hoare logic notions such as expressiveness conditions, relative completeness [Cook 1978] and loop invariants have a clear-cut correspondence to some of our abstract notions. (iii) Sound and complete rules for our abstract notion of Hoare triples, over a fixed verification functor (Theorem 3.4). (iv) Four concrete instances of our abstraction, namely: partial correctness of while programs, partial correctness of pointer programs (separation logic), run-time analysis of while programs, and stream circuits (Section 4). In Section 6, we discuss the link between our work and other abstractions of Hoare logic.

2. SYSTEMS IN THE ABSTRACT 

In this section we describe an abstraction of "system" to be used in our abstraction of the Floyd-Hoare logic [Floyd 1967; Hoare 1969]. Consider first the case of flowcharts, or programming languages in general. The essential construct in this case is unbounded iteration. For instance, in Figure 1 we have depicted a flowchart where the factorial of y is calculated on the variable x via an iterative process. As suggested in the picture, the iteration corresponds to a feedback loop from the (yes) branch of the boolean test to the next step in the computation of the factorial. Note that the code inside the loop (x := x·y; y := y − 1) can be seen as a local process which at each iteration is gearing the computation towards the desired result, the computation of the factorial of y.

Fig. 1. Example of feedback for flowcharts: the test y > 1 exits on the (no) branch and, on the (yes) branch, runs x := x·y; y := y − 1 and feeds the result back into the test.

Similarly, in the case of continuous (dynamical) systems, the feedback operation is essential for allowing the correction of minor errors and achieving stability. In Figure 2 we depict the control law diagram for a system consisting of a cart (mass m) attached to a wall via a spring (constant k) being pulled away from the wall by a force f. This diagrammatic expression of the differential equation mẍ + kx − f = 0 might serve, for example, as the design for an analogue computer to simulate the mechanical system. Similarly to the example of while programs described above, in this case the spring acts inside the feedback loop (−k/m) as a controller, trying to keep the cart within a particular region.

Fig. 2. Example of feedback for dynamic systems

As exemplified above, systems of very different kinds are in general often described via block diagrams, with a fixed block-diagram language L. Systems in L are built from a set L_0 of basic building blocks via sequential and parallel composition, and feedback (see Figure 3). Let us adopt the convention of using A, B, C for the syntactic block diagrams.

On closer inspection, one will notice that the main properties of sequential composition are captured by the basic structure of a category¹. In order to



¹For the rest of this article we will assume some basic knowledge of category theory. For a readable introduction see [Mac Lane 1998]. Given a category S, we will denote its objects by
Fig. 3. Block diagram constructors: sequential composition A; B, parallel composition Par(A, B), and feedback Fb(A), respectively.

capture also the intrinsic properties of the parallel composition Par(A, B) and feedback Fb(A), a particular class of categories has been singled out, so-called traced symmetric monoidal categories.

Recall that a pair comprising a category S and a covariant bifunctor ⊗ is called a monoidal category if for some particular object of S (the identity element of the monoid) ⊗ satisfies the monoidal axioms of associativity and identity (for details, see [Mac Lane 1998, chapter 11]). A monoidal category is called symmetric if there exists a family of natural isomorphisms c_{X,Y} : X ⊗ Y → Y ⊗ X satisfying the two braiding axioms plus the symmetry axiom c_{X,Y} ∘ c_{Y,X} = id_{X⊗Y}. In [Joyal et al. 1996], the notion of traced symmetric monoidal category is introduced², for short TMC. A symmetric monoidal category is traced if for any morphism f : X ⊗ Z → Y ⊗ Z there exists a morphism Tr_{X,Y}(f) : X → Y satisfying the trace axioms (see [Joyal et al. 1996] for details). We will normally omit the decoration in Tr_{X,Y} whenever it is clear over which objects the trace is being applied. Morphisms of a TMC can be represented diagrammatically as input-output boxes, so that, if f : X ⊗ Z → Y ⊗ Z then Tr(f) : X → Y corresponds to a feedback over the 'wire' Z, as shown in Figure 4. In Sections 4 and 5 we will give the formal definition of TMCs based on disjoint union (flowcharts) and cartesian product (networks). Before that we define the necessary concepts for our abstract Hoare logic system.



Fig. 4. Trace diagrammatically: the box f : X ⊗ Z → Y ⊗ Z and the box Tr(f) : X → Y obtained by feeding the Z output back into the Z input.

In our work, we are interested in traced monoidal categories which arise as the semantics of a syntactic block diagram language L. More precisely, for each block diagram language L we will consider (possibly different) semantic mappings [[·]]



S_o and its morphisms by S_m. Composition between two morphisms will be denoted as usual by (g ∘ f) : X → Z, if f : X → Y and g : Y → Z.

²In fact, [Joyal et al. 1996] introduces the theory of traces for a more general class of monoidal categories, so-called balanced monoidal categories, of which symmetric monoidal categories are a special case.



ACM Transactions on Computational Logic, Vol. V, No. N, Month 20YY. 



A General Framework for Sound and Complete Floyd-Hoare Logics

into particular traced monoidal categories S. We will use f, g, h for the semantic functions denoted by these block diagrams. We assume that the semantic mapping is compositional, i.e.

[[A; B]] = [[B]] ∘ [[A]]
[[Par(A, B)]] = [[A]] ⊗ [[B]]
[[Fb(A)]] = Tr_S([[A]]).

Note that the objects and morphisms in the range of such a semantic mapping form a sub-TMC of S and we can view L as a typed language in which the types identify hom-sets in this sub-TMC and where the constructors combine the types of their operands as follows:

· ; ·      : (α → β) × (β → γ) → α → γ
Par(·, ·)  : (α → β) × (γ → δ) → (α ⊗ γ) → (β ⊗ δ)
Fb(·)      : (α ⊗ γ) → (β ⊗ γ) → α → β.



3. ABSTRACT HOARE LOGIC

Recall that a pre-order is a pair (X, ⊑) consisting of a set X and a binary relation ⊑ on X which is reflexive and transitive. For instance, the set of formulas of a fixed first-order theory under the consequence relation (i.e. A ⊢ B) forms a pre-order, or any set of sets under subset inclusion ⊆.

Let A be a while program, P, Q be assertions (formulas) over the program variables of A, and {P} A {Q} denote the usual Hoare triple for while programs. The only property of the binary relation {·} A {·} which does not depend on the structure of A, and hence is intrinsic to the Hoare triples themselves, is the monotonicity stated in the consequence rule:

if {P} A {Q} holds and P' → P and Q → Q' then {P'} A {Q'} also holds.

The following definition captures this basic property of assertions and Hoare triples. When r is a binary relation we write x r y as a shorthand for (x, y) ∈ r.

Definition 3.1 Hoare category. A relation r : X × Y between two pre-ordered sets X, Y is called monotone if P r Q and P' ⊑_X P and Q ⊑_Y Q' implies P' r Q'. Let H denote the category of pre-ordered sets and monotone relations. We call H the Hoare category.

It is easy to see that H can be considered a symmetric monoidal category, with the monoidal operation as cartesian product, since the cartesian product of two pre-ordered sets X, Y forms again a pre-ordered set with the order on X × Y defined coordinatewise, i.e., (x, y) ⊑ (x', y') iff x ⊑ x' and y ⊑ y'. It is also easily verified that the trace based on cartesian product (see Section 5) gives a trace on H, making it into a TMC. Given a block diagram language L, with its respective traced monoidal semantics, we define an abstract notion of Hoare logic using certain functors from the semantic domains into H:

Definition 3.2 (Verification functor). Let L be a fixed block diagram language with semantics [[·]] : L → S. A mapping H : S → H is called a verification functor if it behaves like a strict traced monoidal functor on the image (a sub-TMC of S) of the semantic mapping [[·]] (see Figure 5).

Fig. 5. Block diagram language L, traced monoidal semantics S, and Hoare category H.

Let a verification functor H : S → H be fixed. Each object X ∈ S_o corresponds to a pre-ordered set H(X), and each morphism f in S corresponds to a monotone relation H(f). Under the assumption that the semantic mapping [[·]] is compositional, the verification functor condition is equivalent to:

(SC1) H([[A; B]]) = H([[B]]) ∘ H([[A]])
(SC2) H([[Par(A, B)]]) = H([[A]]) × H([[B]])
(SC3) H([[Fb(A)]]) = Tr_H(H([[A]]))

for all block diagrams A, B in the block diagram language L. Relational equality will be needed for soundness and completeness of the corresponding Hoare logic. As we will see, if only soundness is required, only relational inclusion is needed, i.e.

(S1) H([[A; B]]) ⊇ H([[B]]) ∘ H([[A]])
(S2) H([[Par(A, B)]]) ⊇ H([[A]]) × H([[B]])
(S3) H([[Fb(A)]]) ⊇ Tr_H(H([[A]]))

Definition 3.3 Abstract Hoare Triples. Let A be a concrete block diagram, whose meaning is a morphism [[A]] : X → Y in S. Moreover, let P ∈ H(X) and Q ∈ H(Y). Define abstract Hoare triples as

{P} A {Q} := P H([[A]]) Q   (1)

Although we use the same notation as the standard Hoare triple, it should be noted that the meaning of our abstract Hoare triple can only be given once the verification functor H is fixed. The usual Hoare logic meaning of "if P holds before the execution of A then, if A terminates, Q holds afterwards" will be one of the special cases of our general theory. See Sections 4 and 5 for other meanings of {P} f {Q}.

Let a specific block diagram language be fixed, and let S be the traced monoidal category denoting the programs of the given language. Moreover, let H : S → H be a fixed verification functor. We will denote by HL(L, [[·]], H) the set of rules shown in Figure 6, where the side conditions are:

(†) A ∈ L_0 and P H([[A]]) Q
(‡) P' ⊑ P and Q ⊑ Q'

(Ax)   ───────────── (†)
         {P} A {Q}

(Con)      {P} A {Q}
        ─────────────── (‡)
          {P'} A {Q'}

(Par)   {P} A {Q}    {R} B {S}
        ───────────────────────────
        {(P, R)} Par(A, B) {(Q, S)}

(Seq)   {P} A {Q}    {Q} B {R}
        ────────────────────────
             {P} A; B {R}

(Fb)    {(P, Q)} A {(R, Q)}
        ────────────────────
          {P} Fb(A) {R}

Fig. 6. The system HL(L, [[·]], H) with [[·]] : L → S and H : S → H.

The formal system HL(L, [[·]], H) should be viewed as a syntactic axiomatisation³ of the ternary relation {P} A {Q}. The verification functor H gives the semantics of the Hoare triples (and rules). By soundness and completeness of the system HL(L, [[·]], H) we mean that syntax corresponds precisely to semantics, i.e. a syntactic Hoare triple {P} A {Q} is provable in HL(L, [[·]], H) if and only if P H([[A]]) Q is true in H.

Theorem 3.4 Soundness and completeness. The system HL(L, [[·]], H) is sound and complete.

Proof. Soundness is trivially true for the axioms. The consequence rule is sound by the monotonicity of the relation H([[A]]). Soundness of the composition rule also uses the fact that H respects composition, i.e.

P H([[A; B]]) R ⟺ P H([[B]]) ∘ H([[A]]) R.

Soundness of the cartesian product rule uses that the functor H is monoidal, i.e.

(P, Q) H([[A ⊗ B]]) (R, S) ⟺ (P, Q) H([[A]]) × H([[B]]) (R, S).

For the soundness of the trace rule, assume (P, Q) H([[A]]) (R, Q). By the definition of the trace on H we have P Tr(H([[A]])) R. Finally, by the fact that H is traced we have P H([[Fb(A)]]) R. We argue now about completeness. It is easy to verify that all true statements of the form {P} A {Q}, for basic diagrams A, are provable. It remains to show that if {P} A {Q} is true, for an arbitrary block diagram A, then there exists a premise of the corresponding rule (depending on the structure of A) which is also true. If {P} A; B {R} is true then, since H respects composition, there must exist a Q such that both

P H([[A]]) Q and Q H([[B]]) R



³Note that assertions P, Q, R could potentially be semantic objects (e.g. sets), which is harmless since the only structure required from assertions is the ability to form a pair (P, Q) out of two assertions P and Q. Moreover, the fact that logical axioms have a semantic side condition (†) is not too restrictive since this is only assumed for the basic block diagrams, and these are normally manageable computationally.
Fig. 7. Basic flowcharts: identity, assignment x := t, twist, join, and conditional.

are true. If {(P, R)} A ⊗ B {(Q, S)} is true then so are {P} A {Q} and {R} B {S}, by the fact that H is monoidal. Finally, if {P} Fb(A) {R} is true, then so is

(P, Q) H([[A]]) (R, Q),

for some Q, by the definition of a verification functor. □

The abstract proof of soundness and completeness presented above is both short and simple, using only the assumption of a verification functor and basic properties of the category H. As we will see, the laborious work is pushed into showing that H is a verification functor. That will be clear in Section 4.3, where we build a verification functor appropriate for while programs, using Cook's expressiveness condition [Cook 1978].

4. VERIFICATION FUNCTORS FOR FLOWCHARTS

The traced monoidal categories that correspond to classical Hoare logics for imperative programs are based on the category of sets and relations with the monoidal structure arising from the disjoint union operator ⊎. We will write inj_i : X_i → X_0 ⊎ X_1 for the injections of the summands into a disjoint union. In this TMC, the trace of a relation f : X ⊎ Z → Y ⊎ Z is then defined as follows:

x Tr(f) y := ∃z_0 … z_n (inj_0 x f inj_1 z_0 ∧ … ∧ inj_1 z_i f inj_1 z_{i+1} ∧ … ∧ inj_1 z_n f inj_0 y)

This trace based on disjoint union lets us view feedback loops as representing iterative processes.

First we will consider systems (block diagrams) where disjoint union is used for the monoidal structure in the semantic domains. These are normally called "flowcharts", and two instances of these are (refinements of) while programs and pointer programs. The instantiations will produce the original Hoare logic [Hoare 1969], separation logic and a new Hoare logic for running time analysis.

4.1 The programming language: flowcharts

In the case of simple diagrammatic while programs the basic constructs of our language L_FC are shown in Figure 7. These can be put together via sequential composition, parallel composition and feedback, as shown in Figure 3. We will consider an extension L_PP of this programming language with pointers by adding the basic pointer programs shown in Figure 8.
Fig. 8. Basic pointer programs: look up x := [t], mutation [t] := s, allocation x := new(t), and deallocation disp(t).



4.2 The semantics

The programs (flowcharts) which can be built as described in Section 4.1 can be given a denotation as follows. Let Store be the set of mappings ρ : Var → Z assigning an integer value to each of the program variables Var = {x, y, …}. Let the objects of S_FC be the set (of sets) containing the empty set and Store, and closed under disjoint union, i.e. {∅, Store, Store ⊎ Store, …}. Consider also the following family of functions between the objects of S_FC:

Skip, id : Store → Store
  id(ρ) := ρ

Assignment, (x := t) : Store → Store
  (x := t)(ρ) := ρ[tρ/x]

Joining, Δ : Store ⊎ Store → Store
  Δ(inj_i(ρ)) := ρ

Twist, c : Store ⊎ Store → Store ⊎ Store
  twist(inj_i(ρ)) := inj_{1−i}(ρ)

Forking, ∇_b : Store → Store ⊎ Store
  ∇_b(ρ) := inj_0(ρ) if ¬bρ, inj_1(ρ) otherwise

The conditional forking (∇_b) and the assignment (x := t) are parametrised by functions b and t (intuitively, expressions) from Store to the boolean lattice B and Z, respectively, so that bρ and tρ denote their value on a given store ρ. We use inj_0 and inj_1 for left and right injections into Store ⊎ Store.

We then close the set of basic functions in S_FC under sequential composition of functions, disjoint union of functions and the standard trace for disjoint union, to form the set of partial functions which are the morphisms of S_FC. It is easy to see that S_FC forms a TMC.

In the case of pointer programs, we consider an adaptation of the above TMC S_FC to a category of programs that manipulate both stores and heaps, which we will refer to as the traced symmetric monoidal category of pointer programs S_PP. Let State := Store × Heap, where Store is as above and Heap is the set of partial functions (from N to Z) with finite domain. Define also for any set X a new set X_a as X ∪ {abort}. We view the elements of the heap as pairs consisting of a function h : N → Z and a finite set d ∈ P_fin(N) describing the valid domain of h. We then form the set (of sets) of objects of S_PP as the set containing the empty set and State_a, and closed under disjoint union but maintaining abort as a form of bottom element, i.e. {∅, State_a, (State ⊎ State)_a, …}. It is easy to check that S_PP is also a TMC. Each of the basic functions of S_FC can be lifted to the extended type structure, by simply ignoring the 'heap' component, or by propagating abort when receiving an abort as input. The set of basic functions of S_PP is an extension of the set of (the lifting of the) basic functions of S_FC with the following family of functions:



Look up, (x := [t]) : State_a → State_a
  (x := [t])(ρ, h, d) := (ρ[h(tρ)/x], h, d) if tρ ∈ d, abort otherwise

Mutation, ([t] := s) : State_a → State_a
  ([t] := s)(ρ, h, d) := (ρ, h[sρ/tρ], d) if tρ ∈ d, abort otherwise

Allocation, x := new(t) : State_a → State_a
  (x := new(t))(ρ, h, d) := (ρ[x ↦ i], h[i + j ↦ t_j], d ∪ {i, …, i + n})

Deallocation, disp(t) : State_a → State_a
  disp(t)(ρ, h, d) := (ρ, h, d \ {tρ}) if tρ ∈ d, abort otherwise

In order to make the allocation function deterministic, we let i be the address location succeeding the maximum address already defined.

As done in the case of flowcharts above, we can then close the set of basic functions under sequential composition, disjoint union and trace, to form the set of partial functions which are the morphisms of S_PP. We are assuming that the functions are strict with respect to abort, i.e. on the abort state all programs will return abort. The category S_PP = (S_PP, ⊎, Tr), with the standard trace for disjoint union, forms another example of a TMC with the extra basic morphisms look up, mutation, allocation and deallocation.

4.3 Hoare logic for partial correctness

In this section we present a verification embedding of the TMC of flowcharts S_FC. This will give us soundness and (relative) completeness of Hoare's original verification logic [Hoare 1969] for partial correctness (using forward reasoning).

Let us now define the monoidal functor H_FC : S_FC → H. Let a Cook-expressive⁴ first-order theory be fixed. On the objects X ∈ S_FC we let H_FC(X) be a pre-ordered set of formulas. The ordering P ⊑ R on the elements of H_FC(X) is taken to be P → R in the fixed theory. We assume that pairs of formulas are also considered formulas, with the connectives defined pointwise. We now define the functor H_FC on the image of the semantic embedding [[·]]. For each flowchart A we let H_FC([[A]]) be the following monotone relation

⁴Recall that a logic is Cook-expressive if for any program f and pre-condition P the strongest post-condition of f under P is expressible by a formula in L (cf. [Cook 1978]).
P H_FC([[A]]) Q := SPC(A, P) → Q

where SPC(A, P) is a formula expressing the strongest post-condition of A under P. Such a formula exists by our assumption that the theory is Cook-expressive. Moreover, note that the denotation of H_FC([[A]]), since it only depends on A via SPC(A, ·), does not depend on the particular syntax of A, but only on the input-output behaviour of A, i.e. [[A]]. It is also easy to see what SPC is for the basic morphisms of S_FC:

SPC(id, P) := P
SPC(x := t, P) := ∃v (P[v/x] ∧ x = t[v/x])
SPC(∇_b, P) := (P ∧ ¬b, P ∧ b)
SPC(twist, (P, R)) := (R, P)
SPC(Δ, (P, R)) := P ∨ R

The functor H_FC is monoidal because a formula P describing a subset of X_0 ⊎ X_1 can be seen as a pair of formulas (P_0, P_1) such that each P_i describes a subset of X_i, i.e. H_FC(X ⊎ Y) is isomorphic to H_FC(X) × H_FC(Y). Similarly, there is a one-to-one correspondence between the strongest post-condition transformer for a parallel composition of flowcharts f ⊎ g and pairs of predicate transformers H_FC(f) × H_FC(g).

We argue now in two steps that H_FC is also a verification functor. The main task is to show that H_FC respects the trace structure, i.e.

P H_FC(Tr([[A]])) R ⟺ P Tr(H_FC([[A]])) R.

By the definition of trace on H we get

P Tr(H_FC([[A]])) R ⟺ ∃Q ((P, Q) H_FC([[A]]) (R, Q))

and by the definition of H_FC above:

SPC(Tr([[A]]), P) → R ⟺ ∃Q (SPC([[A]], (P, Q)) → (R, Q)).

The next lemma proves the left to right implication. The implication from right to left is proven in Theorem 4.2.

Lemma 4.1 [Cook 1978]. Let A be a block diagram such that [[A]] : X ⊎ Z → Y ⊎ Z. Assume z are all the program variables of A. Moreover, let P ∈ H_FC(X) and R ∈ H_FC(Y) be fixed formulas. If SPC(Tr([[A]]), P) → R then SPC([[A]], (P, Q)) → (R, Q), for some formula Q.

Proof. We construct a formula Q which is a fixed point for [[A]] on P, i.e.

SPC([[A]], (P, Q)) → (R', Q), for some formula R'. We also argue that

SPC(Tr([[A]]), P) → R'.

By our hypothesis SPC(Tr([[A]]), P) → R it then follows that R' implies R, as desired. The fixed point Q is essentially the strongest loop invariant, and is constructed as follows. Given the block diagram A we build a new block diagram A' : X ⊎ Z → Y ⊎ Z ⊎ Z where the internal states of Z can be observed, even after the feedback is applied. Let A' := (id ⊎ ∇_{z=y}) ∘ A (see Figure 9) where z is the finite sequence of variables mentioned in the description of A, and y is a fresh tuple of variables of the same length. Notice that the program Fb_{X,Y⊎Z}(A') behaves almost as Fb_{X,Y}(A) except that the block diagram Fb(A') will 'terminate' earlier (meaning that the fixed point sequence is shorter) if the state z matches y. Let SPC([[Fb(A')]], P) = (Q_0, Q_1(y)). It is easy to see that the formula Q = ∃y Q_1(y) characterises the possible internal states z in any run of Fb(A) on an input satisfying P. In other words, Q is the least fixed point for H_FC([[A]]) on P, SPC([[A]], (P, Q)) → (R', Q), for some formula R', which implies SPC(Tr([[A]]), P) → R'. □

Fig. 9. Cook's construction (forward reasoning): the block diagram A' and its feedback Fb(A').

Theorem 4.2. H_FC : S_FC → H, as defined above, is a verification functor for morphisms arising from block diagrams in L_FC.

Proof. By Lemma 4.1, it remains to be shown that whenever

(i) SPC([[A]], (P, Q)) → (R, Q),

for a formula Q, then SPC(Tr([[A]]), P) → R. Assume (i) and SPC(Tr([[A]]), P)(ρ), for some store value ρ. We must show R(ρ). By the definition of the strongest post-condition there exists a sequence of stores ρ', ρ_0, …, ρ_n such that P(ρ') and

(0, ρ') [[A]] (1, ρ_0), …, (1, ρ_k) [[A]] (1, ρ_{k+1}), …, (1, ρ_n) [[A]] (0, ρ).

By a simple induction, using the assumption (i), we get that all ρ_k satisfy Q and that ρ satisfies R, as desired. □

Given the semantic embedding [[·]] : L_FC → S_FC, the system HL(L_FC, [[·]], H_FC) obtained via our embedding H_FC is a refinement of the system given by Hoare [1969], i.e. Hoare's rules are derivable from ours. See, for instance, the case of the while loop rule in Figure 10, given that a while loop while_b(A) can be represented in S_FC as Fb(Δ; ∇_b; (id ⊎ A)). Moreover, the soundness and (relative) completeness of the Hoare logic rules for while programs follow easily from Theorems 3.4 and 4.2.

4.4 Separation logic

In the case of the extended flowchart language L_PP (pointer programs) and its respective semantics, we can define a verification functor H_PP as follows. On the objects X ∈ S_PP we let H_PP(X) be a pre-ordered set of formulas with enough primitives to describe the weakest pre-condition of programs, but without abort as an atomic formula (we want abort not to be expressible in the language). The ordering P ⊑ R on the elements of H_PP(X) is again taken to be P → R in the fixed theory. For each pointer program A we let H_PP([[A]]) be the following monotone relation

P H_PP([[A]]) Q := P → WPC(A, Q)

where WPC(A, Q) is a formula expressing the weakest pre-condition of program A under post-condition Q. As in Reynolds [2002], well-specified programs do not abort, since formulas in H_PP(X) never hold true for abort.

(id ∈ L_0) {P ∧ ¬b} id {P ∧ ¬b}     {P ∧ b} A {P}
─────────────────────────────────────────────────────────── (Par)
(∇_b ∈ L_0) {P} ∇_b {(P ∧ ¬b, P ∧ b)}     {(P ∧ ¬b, P ∧ b)} Par(id, A) {(P ∧ ¬b, P)}
─────────────────────────────────────────────────────────────────────────── (Seq)
(Δ ∈ L_0) {(P, P)} Δ {P}     {P} ∇_b; Par(id, A) {(P ∧ ¬b, P)}
──────────────────────────────────────────────────────────── (Seq)
{(P, P)} Δ; ∇_b; Par(id, A) {(P ∧ ¬b, P)}
───────────────────────────────────────── (Fb)
{P} Fb(Δ; ∇_b; Par(id, A)) {P ∧ ¬b}
───────────────────────────────────── (def)
{P} while_b(A) {P ∧ ¬b}

Fig. 10. Derivation of Hoare's while loop rule in HL(L_FC, [[·]], H_FC)

It has been shown in [O'Hearn et al. 2001; Reynolds 2002] that the weakest liberal pre-conditions for the new basic statements can be concisely expressed in separation logic as (see [Reynolds 2002] for notation)

WPC(x := [t], P) := ∃v' ((t ↦ v') ∗ ((t ↦ v') −∗ P[v'/x]))
WPC([t] := s, P) := (t ↦ −) ∗ ((t ↦ s) −∗ P)
WPC(x := new(t), P) := ∀i ((i ↦ t) −∗ P[i/x])
WPC(disp(t), P) := (t ↦ −) ∗ P

Similarly to Lemma 4.1 and Theorem 4.2, one can show that the H_PP defined above is a verification functor. The system HL(L_PP, [[·]], H_PP), which we then obtain from our abstract approach, is basically the one presented in Reynolds [2002], for global backward reasoning, using the logical theory of bunched implications as an 'oracle' for the consequence rule.

4.5 Hoare logic for running time analysis and termination

Finally, we conclude this section with a new Hoare logic for running time analysis (and termination) of programs. For this we need a finer semantic model S_RT for the flowchart programs. We need a model that distinguishes programs with different running time. Let us consider the identity operation and twist as neutral. We define the running time of a program to be the number of times non-neutral basic operations (e.g. assignment or conditional) are evaluated. Then two programs are identified if they have the same input-output behaviour and the same running time on all terminating inputs. This gives rise to a refinement of the semantic model S_FC which we will call S_RT.

Let N^∞ denote the usual pre-order of the natural numbers extended with ∞ as the top element, i.e. n ≤ ∞ for all n ∈ N. Arithmetic with ∞ is done as usual, e.g. n + ∞ = ∞. We want to use N as a counter for the number of steps




14 • R. Arthan, U. Martin, E. A. Mathiesen and P. Oliva 



{Vb€C'o) {P}A{(b)?(P,Q) + l} 



{(6)?(P, Q) + 1} Vb {{P, Q)} {{P, Q)} Par(id, A) {{P, (&)?(P, Q) + 1)} 

{(6)?(fi Q) + 1} W: Par(id, A) {{P, (6)?(P, Q) + 1)} 

{((&)?(P, Q) + 1, (6)?(P, Q) + 1)} A; Vb; Par(id, A) {(P, (b)?(P, Q) + 1)} 

{(6)?(P, Q) + 1} Fb(A; V,; Par(id, A)) {P} 

{(b)?(P,Q) + l}whileb(A){P} 

Fig. 11. While loop rule for running time 

a program takes to terminate. Non-terminating executions are associated with oo 
which should be thought of as "infinite time". For any set S™(= S l+) . . . tt) S) the 
pre-order on N°° induces a pointwise prc-ordcr on the set of functions S™ -^ N°° . 
We take these pre-ordered sets {S™ -^ N°°}mGN as the objects of our category, 
with monotone relations between these as morphisms. This forms a subcategory of 
Ti. with cartesian product as the monoidal structure. 

Let P, Q be functions in S^n → N^∞ and S^m → N^∞, respectively. Note that P for instance can be viewed as an n-tuple (P_1, ..., P_n) of functions P_i : S → N^∞. Given a flowchart A (assume [[A]] : S^n → S^m) we define the following functor

P H_rt([[A]]) Q := P ≥ RRT(A, Q)

where RRT(A, Q) : S^n → N^∞ calculates the relative running time of A with respect to Q. Intuitively, if A does not terminate on input p then RRT(A, Q)(p) = ∞, otherwise RRT(A, Q)(p) calculates RunTime(A, p) + Q([[A]](p)). This can be given for the basic programs as

RRT(id, Q) := Q

RRT(x := t, Q) := Q[t/x] + 1

RRT(∇_b, (P, Q)) := (b)?(P, Q) + 1

RRT(twist, (P, Q)) := (Q, P)

RRT(Δ, Q) := (Q + 1, Q + 1)

As usual, in order to obtain a completeness result we assume that the language over which we are defining our pre- and post-conditions is rich enough to express RRT. Given that RRT(A, Q)(p) = ∞ implies that the program A does not terminate on input p, we can conclude that any expressive language will need to include non-computable functions. This is to be expected, since an expressive language where each function is computable would in this case allow us to solve the halting problem. It is easy to see, however, that extending a Turing complete language with an oracle for the halting problem is sufficient for obtaining an expressive language.

As in Definition 3.3, the functor H_rt gives rise to a Hoare triple {P} A {Q}. The relation {P} A {Q} holds if and only if on each input p such that P(p) ≠ ∞ we have Q ≠ ∞ and A on p runs in time P(p) − Q([[A]](p)) (this in particular implies that the program terminates).
Fig. 12. Cook's construction (backward reasoning)

Theorem 4.3. H_rt : S_rt → H as defined above is a verification functor.

Proof. First of all, it is easy to check that H_rt indeed maps objects and morphisms of S_rt into pre-orders and monotone relations (objects and morphisms of H). H_rt also trivially satisfies conditions (SC1) and (SC2), i.e. H_rt is a monoidal functor. One direction of condition (SC3) is similar to the proof of Lemma 4.1. Given a flowchart A we construct a new flowchart A' (see Figure 12) in such a way that RRT(fb(A'), R) gives us the (greatest) fixed point of A. The other direction of condition (SC3) is similar to the proof of Theorem 4.2. □

Therefore, this gives rise to a Hoare logic system HL(L_fc, [[·]], H_rt) which can be used to prove upper bounds on the running time of a program. As a simple example, consider the program calculating the factorial of x described in Section 2 (Figure 1):

  {3y} x := xy {3y − 1}      {3y − 1} y := y − 1 {3y + 1}
  ---------------------------------------------------------
  {3y + 2} x := 1 {3y + 1}      {3y} x := xy; y := y − 1 {3y + 1}
                                -----------------------------------------
                                {3y + 1} while_b(x := xy; y := y − 1) {3y}
  -----------------------------------------------------------------------
  {3y + 2} (x := 1); while_b(x := xy; y := y − 1) {3y}

where b = (y > 1). Given that y = 0 at the end, we have a proof of

  {3x − 1} (y := x); while_b(y := y − 1; x := xy) {0},

which gives an upper bound of 3x − 1 steps on the running time of the program.
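To make the relative-running-time semantics concrete, here is an added Python example (not code from the paper) that interprets tiny flowchart programs under the paper's cost model (one step per assignment and per evaluation of a loop condition; identity, twist and, as an assumption of the example, the loop's merge node are neutral), computes RRT(A, Q)(p) on concrete inputs, and checks Hoare triples as P ≥ RRT(A, Q) pointwise. Non-termination is approximated by a step budget, which is an assumption of the example; the factorial program and the conditions 3y + 2 and 3y are the ones from the derivation above.

```python
"""Concrete-semantics check of the running-time Hoare logic of Section 4.5.

Added example, not code from the paper. Programs are small ASTs of assignments
and while loops. Cost model (from the text): each assignment and each evaluation
of a loop condition costs one step; everything else is neutral (assumption: the
loop's merge node is neutral). A program that exhausts the step budget is
reported as taking time infinity (assumption: budget stands in for non-termination).
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Union

INF = float("inf")
State = Dict[str, int]


@dataclass
class Assign:
    var: str
    expr: Callable[[State], int]


@dataclass
class While:
    cond: Callable[[State], bool]
    body: List["Stmt"]


Stmt = Union[Assign, While]


class OutOfFuel(Exception):
    """Raised when the step budget is exhausted."""


def _exec(prog: List[Stmt], s: State, counter: List[int], budget: int) -> State:
    for stmt in prog:
        if isinstance(stmt, Assign):
            counter[0] += 1                 # assignment: one non-neutral step
            if counter[0] > budget:
                raise OutOfFuel
            s[stmt.var] = stmt.expr(s)
        else:
            while True:
                counter[0] += 1             # conditional test: one non-neutral step
                if counter[0] > budget:
                    raise OutOfFuel
                if not stmt.cond(s):
                    break
                _exec(stmt.body, s, counter, budget)
    return s


def run(prog: List[Stmt], state: State, budget: int = 10_000):
    """Return (final state, RunTime) or (None, INF) if the budget runs out."""
    counter = [0]
    try:
        out = _exec(prog, dict(state), counter, budget)
    except OutOfFuel:
        return None, INF
    return out, counter[0]


def rrt(prog: List[Stmt], Q: Callable[[State], float], state: State, budget: int = 10_000) -> float:
    """RRT(A, Q)(p): infinity if A does not terminate on p, else RunTime(A, p) + Q([[A]](p))."""
    out, steps = run(prog, state, budget)
    return INF if out is None else steps + Q(out)


def triple_holds(P, prog, Q, states, budget: int = 10_000) -> bool:
    """{P} A {Q} holds on the sampled states iff P >= RRT(A, Q) pointwise in N^inf."""
    return all(P(s) >= rrt(prog, Q, s, budget) for s in states)


def assignment_rule_check(Q, t, states) -> bool:
    """Basic rule RRT(x := t, Q) = Q[t/x] + 1, checked on the sampled states."""
    prog = [Assign("x", t)]
    return all(rrt(prog, Q, s) == Q({**s, "x": t(s)}) + 1 for s in states)


# Factorial program of Section 4.5: x := 1; while_b(x := xy; y := y - 1), b = (y > 1).
FACT: List[Stmt] = [
    Assign("x", lambda s: 1),
    While(lambda s: s["y"] > 1,
          [Assign("x", lambda s: s["x"] * s["y"]),
           Assign("y", lambda s: s["y"] - 1)]),
]


def P_FACT(s: State) -> float:      # derived pre-condition 3y + 2
    return 3 * s["y"] + 2


def Q_FACT(s: State) -> float:      # post-condition 3y
    return 3 * s["y"]


# A program that never terminates: RRT is infinity on every input, so {P} A {Q}
# can only hold where P itself is infinite.
LOOP_FOREVER: List[Stmt] = [While(lambda s: True, [])]

if __name__ == "__main__":
    for y in range(6):
        st = {"x": 0, "y": y}
        print(y, run(FACT, st), rrt(FACT, Q_FACT, st), P_FACT(st))
```

On input y = 5 the interpreter counts 14 steps (one initial assignment, five condition tests, eight loop-body assignments) and the final state has y = 1, so RRT(FACT, 3y)(y = 5) = 14 + 3 = 17 = 3·5 + 2: the pre-condition 3y + 2 derived above is exact under this cost model, and the tighter candidate 3y + 1 fails.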

5. VERIFICATION FUNCTORS FOR NETWORKS 

We will now apply our approach to Hoare logic to systems described by network 
diagrams that give a visual representation for sets of equations. An important 
motivating example is the notion of signal flow graph in control theory which forms 
the basis of systems such as Simulink. Network diagrams of this sort can be given 
several different formal semantics, e.g., in terms of differential equations or in terms 
of recurrence relations. 

To apply our approach to network diagrams, our starting point is again the category of sets and relations, but now using the monoidal structure given by the cartesian product. The cartesian trace, Tr(r), of a relation r : X × Z → Y × Z is defined by:

x Tr(r) y := ∃z((x, z) r (y, z)).
In a network diagram, r above will be thought of as the input-output relation of a subsystem, with z representing a control signal that is fed back from output to input to form the overall system. The input-output relation of the overall system is then the relation between X and Y determined by solving the system of equations denoted by r for the value of the control signal, z.
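As an added example that is not part of the paper, the following Python code computes the cartesian trace of finite relations directly from the definition above and shows, on three constructed subsystems over the set {0, 1, 2}, how the feedback equation for the control signal z can have exactly one solution (the trace is a total function), every z as a solution (the trace is one-to-many), or no solution (the trace is partial). It goes slightly beyond the text by exhibiting all three cases in one finite setting.

```python
"""Cartesian trace of finite relations (added example, not the paper's code).

A relation r : X x Z -> Y x Z is a set of pairs ((x, z), (y, z')).  By the
definition in the text, x Tr(r) y holds iff some z is a fixed point of the
control signal, i.e. ((x, z), (y, z)) is in r.
"""


def cartesian_trace(r):
    """{(x, y) | exists z. ((x, z), (y, z)) in r}."""
    return {(x, y) for ((x, z), (y, z2)) in r if z == z2}


def graph(f, X, Z):
    """The relation given by the graph of a function f : X x Z -> Y x Z."""
    return {((x, z), f(x, z)) for x in X for z in Z}


def is_total_function(rel, X):
    """True iff rel relates every x in X to exactly one y."""
    return all(len({y for (x2, y) in rel if x2 == x}) == 1 for x in X)


def solutions(r, x):
    """All values of the control signal z that solve the feedback equation for input x."""
    return {z for ((x2, z), (_, z2)) in r if x2 == x and z == z2}


# Constructed sample subsystems over the three-element set {0, 1, 2}.
Z3 = (0, 1, 2)

# Feedback equation z = x has a unique solution for each x: Tr(SWAP) is the identity.
SWAP = graph(lambda x, z: (z, x), Z3, Z3)

# Output control signal equals the input one for every z: every z is a solution,
# so Tr relates each x to all y (the "chaotic" behaviour of Figure 14, right).
CHAOTIC = graph(lambda x, z: ((x + z) % 3, z), Z3, Z3)

# Output control signal is z + 1 mod 3: no z solves z = z + 1, so Tr is empty
# (no fixed point, as for the circuit of Figure 14, left, with a != 0).
STUCK = graph(lambda x, z: (x, (z + 1) % 3), Z3, Z3)

if __name__ == "__main__":
    for name, r in [("SWAP", SWAP), ("CHAOTIC", CHAOTIC), ("STUCK", STUCK)]:
        print(name, sorted(cartesian_trace(r)), is_total_function(cartesian_trace(r), Z3))
```

All three subsystems are total functions before tracing; only the first remains one afterwards, which is the point the section makes about Rel(C) being closed under the trace while its functional subcategory is not.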

Algebraic structure will be important to us. Fortunately, the cartesian trace gives rise to a wide range of interesting TMCs with nice algebraic properties. In the sequel, we will first show that the cartesian trace applies to many interesting categories of relations enjoying useful algebraic or other structure. We then present a diagrammatic language for stream circuits and give it a semantics in terms of an algebraic TMC S_sc of relations representing a formal abstraction of the differential equation semantics. We use a syntactic criterion to identify a useful class of "valid" circuits, whose semantic values are total functions. The subcategory formed by these circuits admits a verification functor and so this gives a sound and complete Hoare logic for the valid circuits.

5.1 Traced Monoidal Categories of Relations 

Let C be any concrete category, so that each object X of C has an associated underlying set (also written X by abuse of notation) and each C-morphism between C-objects X and Y is a function from X to Y, morphisms being composed via functional composition. Let us assume that (i) set-theoretic finite products and equalizers (see the footnote following the proof of Theorem 5.1) also serve as finite products and equalizers in C, and (ii), if f is a C-morphism then the graph of f, as a subset of X × Y, is the range of some C-morphism, i.e., there is a C-object U and a C-morphism u : U → X × Y, with Graph(f) = ran(u). These assumptions hold, for example, for any concrete category defined by a set of operations and equational laws, such as any of the usual algebraic categories: groups, vector spaces over a field, modules over a ring etc. In fact, for these categories, the converse of assumption (ii) holds: a function is a C-morphism iff its graph is the range of a C-morphism. Under these assumptions, define a C-relation between C-objects X and Y to be any relation, r, which is given, as a subset of X × Y, by the range of a C-morphism, i.e., r = ran(u), for some C-object U and C-morphism u : U → X × Y. We then define the category Rel(C) to have the same objects as C and to have as morphisms between X and Y the set of all C-relations between X and Y, morphisms being composed by relational composition.

Theorem 5.1. Under the above assumptions on the concrete category C , Rel(C) 
together with cartesian product and cartesian trace forms a TMC having C as a 
subcategory. If, moreover, a function is a C-morphism iff its graph is the range 
of some C-morphism, then this subcategory comprises precisely those relations in 
Rel(C) which are set-theoretic functions. 

Proof. We must first verify that Rel(C) actually is a category: by assumption (i) if X is any C-object, then the diagonal function δ = x ↦ (x, x) is a C-morphism from X to X × X and ran(δ) is the identity relation on X, which is therefore a Rel(C)-morphism acting as a two-sided identity for relational composition. Given Rel(C)-morphisms r : X → Y and s : Y → Z, there are C-objects U and V and C-morphisms u : U → X × Y and v : V → Y × Z with r = ran(u) and s = ran(v). Let us write π_i : X_1 × X_2 → X_i for the projections of a binary product onto its factors and write π_ij for the composite (π_i ; π_j). Our data provide everything except the object E and the dotted morphisms in the following diagram.

[Diagram: E ⋯i⋯> U × V —u×v→ (X × Y) × (Y × Z) ⇉ Y, the two parallel arrows being π_12 and π_21, together with π_1 × π_2 : (X × Y) × (Y × Z) → X × Z.]

If we take i : E → U × V to be the equalizer of the two horizontal composites from U × V to Y and let e : E → X × Z be the composite (i; u × v; π_1 × π_2) then e is a C-morphism and ran(e) = (r; s). Thus Rel(C) has identities and is closed under relational composition and hence forms a category. It is easy to verify that the cartesian product makes Rel(C) into a symmetric monoidal category and, using assumption (ii), that C forms a subcategory, and that this subcategory coincides with the functional relations in Rel(C) under the stated condition. So it remains to show Rel(C) is closed under cartesian trace. So assume r : X × Z → Y × Z is a Rel(C)-morphism, so that there is a C-object U and a C-morphism u : U → (X × Z) × (Y × Z) with r = ran(u). This gives everything except the object E and the dotted morphisms in the following diagram.

[Diagram: E ⋯i⋯> U —u→ (X × Z) × (Y × Z) ⇉ Z, the two parallel arrows being π_12 and π_22, together with π_1 × π_1 : (X × Z) × (Y × Z) → X × Y.]

If we take i : E → U to be the equalizer of the two horizontal composites from U to Z and let e : E → X × Y be the composite (i; u; π_1 × π_1) then Tr(r) = ran(e), so the cartesian trace is a Rel(C)-morphism and the proof is complete. □

Footnote (equalizers): Recall that in any category, an equalizer for two morphisms f, g : X → Y is a universal arrow h : E → X making the horizontal composites in the diagram E → X ⇉ Y equal. In the category of sets, an equalizer of any two maps f, g : X → Y is given by the inclusion of the subset {x : X | f(x) = g(x)}, which we will call the equalizer of f and g.

As an aside, we note that this theorem offers an alternative to the partial traced monoidal categories that have been considered by several researchers, e.g., see [Haghverdi and Scott 2005]. Rather than a partial trace on C, it gives a total trace on Rel(C), which contains C as a subcategory. Specific examples of partial TMCs given by Haghverdi and Scott [2005] are the category of vector spaces and the category of complete metric spaces with non-expansive continuous functions as morphisms. Both these examples are covered by the above theorem, and without the restriction to finite dimensions in the case of vector spaces. The theorem also applies to both Hilbert spaces and Banach spaces with bounded operators as morphisms and to compact Hausdorff topological spaces with continuous maps.
Fig. 13. Basic stream circuits: Identity, Scalar (a×), Split, Integrator, Twist.

Perhaps surprisingly, the dual of the construction in the above theorem also goes through using coequalizers, coproducts and an appropriate notion of cograph. Constructions of this sort have been considered in connection with universal algebra, see [Hutchinson 1994] for details and references.

5.2 The programming language: stream circuits 

In [Boulton et al. 2003], a Hoare logic was presented for the frequency analysis of linear control systems with feedback, modelled as linear differential equations, an approach which we generalised and systematised in [Arthan et al. 2007]. In the present paper, we will model linear differential equations as stream circuits (see [Rutten 2004]). With Theorem 5.1 in mind, this model fits nicely both with the algebraic viewpoint of [Arthan et al. 2007] and with the present framework.

Our language of stream circuits comprises finite diagrams, made up from the basic circuits shown in Figure 13 (where a is a real-number-valued parameter). New circuits are formed from old by connecting outputs (arrow heads) to inputs (arrow tails). An output of a circuit may be connected to an input of the same circuit, so we can create feedback loops. Following [Rutten 2004], we say a circuit is valid if every closed path in the circuit passes through at least one integrator (or "register" in Rutten's terminology).

5.3 The semantics 

In our semantics, stream circuits denote differential equations. As demonstrated in [Escardo and Pavlovic 1998], many computational aspects of mathematical analysis can be developed in a co-algebraic setting using infinite streams of real numbers, an analytic function f being modelled by the infinite stream [f(0), f'(0), f''(0), ...] of its partial derivatives. For many purposes we may abstract away issues of convergence, and view infinite streams rather than functions as the main objects of interest. Following [Rutten 2004], we can then view a stream circuit as just a system of equations on streams: for example, the differential equation f = f', or equivalently f = (∫f) + c, corresponds to a stream equation f = c :: tl(f).

To turn these ideas into a formal semantics for stream circuits, let Σ denote the set of streams of real numbers, i.e. all functions N → ℝ. Let the objects of S_sc be the set containing the singleton set {ε} and Σ, and closed under cartesian product, i.e. the objects are Σ^0 = {ε}, Σ^1 = Σ, Σ^2 = Σ × Σ, ..., Σ^m, .... Consider the following basic morphisms between the objects of S_sc:
— Wire, id : Σ → Σ, with id(σ) := σ

— Copy, c : Σ → Σ × Σ, with c(σ) := (σ, σ)

— Scalar, (a×) : Σ → Σ, with (a×)(σ) := [aσ_0, aσ_1, ...]

— Sum, (+) : Σ × Σ → Σ, with (+)(σ, σ') := [σ_0 + σ'_0, σ_1 + σ'_1, ...]

— Integrator, R : Σ → Σ, with R(σ) := [0, σ_0, σ_1, ...]

— Twist, t : Σ × Σ → Σ × Σ, with t(σ, σ') := (σ', σ)

The morphisms of S_sc are the relations obtained from the basic morphisms above viewed as relations (via their graph) and closing this set under relational composition, cartesian product of relations, and the trace for the cartesian product.



Fig. 14. Stream circuits not defining functions: Tr(c ∘ (+)) (left) and Tr(((+) × id) ∘ (id × c)) (right).



The diagrams in Figure 14 illustrate two stream circuits that define relations that are not total functions. In the circuit on the left there is no fixed point for the input stream σ_a := [a, a, ...] unless a = 0, so the circuit defines a partial function with domain {0}. On the other hand, in the circuit on the right any stream τ is a fixed point of the trace, so that any input stream σ is related to any output stream, so the circuit represents the "chaotic" relation Σ × Σ. The notion of valid circuit gives a syntactic criterion for avoiding this pathological behaviour: while S_sc is a category of relations that are partial and one-to-many in general, valid circuits denote total functions, i.e. a valid circuit denotes a system of equations whose solutions always exist and are unique (as we shall prove shortly).

It is again easy to see that S_sc forms a symmetric monoidal category, with the monoidal structure of cartesian product. Finally, with the standard family of trace relations (defined in Section 2), S_sc forms a traced symmetric monoidal category. S_sc has several important subcategories obtained by restricting the sets of morphisms: S^f_sc, in which the morphisms are the total functional relations, and S^v_sc, comprising the denotations of valid stream circuits. To understand these subcategories it is helpful to consider some additional algebraic structure. Let R = ℝ[[x]] be the ring of formal power series with real coefficients, e.g., see Mac Lane and Birkhoff [1999], section VIII.9. Thus elements of R are formal expressions f_0 + f_1 x + f_2 x^2 + ... + f_m x^m + ... where the coefficients f_i are real numbers. Note that a univariate polynomial, p_0 + p_1 x + p_2 x^2 + ... + p_m x^m, over ℝ may be viewed as a formal power series in which all but a finite number of the coefficients are zero. Formal power series are added by adding corresponding coefficients and multiplied using the convolution product (generalising multiplication of polynomials), i.e., if f = f_0 + f_1 x + ... + f_m x^m + ... and g = g_0 + g_1 x + ... + g_m x^m + ..., the coefficients of the sum f + g and the product fg are given by:

(f + g)_m = f_m + g_m

(fg)_m = f_0 g_m + f_1 g_{m−1} + ... + f_{m−1} g_1 + f_m g_0

Under these operations R forms a commutative ring with 0 = 0 + 0x + ... and 1 = 1 + 0x + .... If we identify a stream σ with the formal power series σ_0 + σ_1 x + ... + σ_m x^m + ..., then R acts on the objects of S_sc by multiplication, i.e., for (^1σ, ..., ^nσ) ∈ Σ^n and f ∈ R, we define:

(^1σ, ..., ^nσ)f := (^1σ f, ..., ^nσ f)

Under this action, the objects of S_sc become R-modules (see the footnote on R-modules below).

fdback(f) := Tr((c) ∘ (+) ∘ (id × f))      sum(f, g) := (+) ∘ (g × f) ∘ (c)

Fig. 15. Feedback and summation in S_sc

If f ∈ R and f_0 ≠ 0, then f has a multiplicative inverse f^{−1} whose coefficients are given recursively by

(f^{−1})_0 = 1/f_0

(f^{−1})_{m+1} = −(f_1 (f^{−1})_m + f_2 (f^{−1})_{m−1} + ... + f_{m+1} (f^{−1})_0)/f_0

as is readily checked. Clearly, any non-zero f ∈ R may be written uniquely in the form f = x^m g where g is invertible, m being the order of f, i.e., the smallest m such that f_m ≠ 0. It follows that the non-zero ideals of R are precisely the principal ideals generated by the powers of x, i.e., I ≠ {0} is an ideal of R iff I = x^m R for some m.

It is easy to check that the basic morphisms of S_sc are R-module homomorphisms, so for example, if σ ∈ Σ^n and f ∈ R, one has c(σf) = c(σ)f. Noting that the approach of [Arthan et al. 2007] generalises to R-modules (see the second footnote below), we find that each morphism of S_sc is actually an additive relation, i.e., each morphism between objects L and M of S_sc is a relation whose graph is a submodule of the product module

Footnote (R-modules): Recall that the notion of R-module is the generalisation to arbitrary rings of the notion of vector space over a field: an R-module is an additive group M such that R acts on M as a ring of linear operators. I.e., writing x ↦ xf for the action of f ∈ R on x ∈ M, one has (x + y)f = xf + yf, x1 = x and x(fg) = (xf)g. R acts on itself by right multiplication and so becomes an R-module whose submodules are called ideals, i.e., an ideal I is an additive subgroup of R such that, for any a ∈ R, Ia = {xa | x ∈ I} ⊆ I. See, e.g., [Mac Lane and Birkhoff 1999] chapter V for the basics of module theory.

Footnote (generalisation to R-modules): The only difficulty is with theorem 5.8 of [Arthan et al. 2007] where the proof in the published paper uses properties of bases to define relational inverse in terms of the feedback loop operator. However, a basis-free construction can be given: in the notation of [Arthan et al. 2007], if r : V →
L × M. Within S_sc, S^f_sc comprises the subcategory of morphisms which happen to be total functions. In the terminology of Section 5.1, the methods of [Arthan et al. 2007, section 5] show that S_sc is the category of S^f_sc-relations: S_sc = Rel(S^f_sc).

Let us exploit this algebraic structure to investigate the cartesian trace applied to a functional morphism in S_sc. Using the vanishing law for the trace, the trace of a general morphism Σ^m × Σ^k → Σ^n × Σ^k can be calculated by iterating the trace on morphisms Σ^m × Σ → Σ^n × Σ, so it suffices to consider the case k = 1. So let F : Σ^m × Σ → Σ^n × Σ be a functional morphism, i.e., a homomorphism of R-modules. Just as with vector spaces, we can represent F as a 2 × 2 block matrix, i.e., there are unique R-module homomorphisms, A : Σ^m → Σ^n, B : Σ → Σ^n, C : Σ^m → Σ and D : Σ → Σ, such that (α, σ)F = (β, τ) where:

β = αA + σB
τ = αC + σD

D here is a 1 × 1 matrix, i.e., under the identification of Σ with R, D is given by multiplication by some element of R, say D = (d). The following lemma says that under appropriate assumptions on d, the trace of F is a total function. The ideal I in the lemma may be thought of as a measure of the precision of an approximation σ to the actual fixed point σ'. For the simple existence of the fixed point, take I = R and pick an arbitrary σ.

Lemma 5.2. Assume F : Σ^m × Σ → Σ^n × Σ is defined by (α, σ)F = (β, τ) where:

β = αA + σB

τ = αC + σD

for some A : Σ^m → Σ^n, B : Σ → Σ^n, C : Σ^m → Σ and D : Σ → Σ, where D is given by the 1 × 1 matrix (d) where d ∈ R is either 0 or has positive order, i.e., d = xf for some f ∈ R. Let I be any ideal in R and assume (α, σ)F = (β, τ) for some α, β, σ and τ where σ − τ ∈ I; then there exist unique β' and σ' such that (α, σ')F = (β', σ'), and then one has σ' − σ ∈ I.

Proof. For uniqueness, if β' and σ' satisfy

β' = αA + σ'B

σ' = αC + σ'D

then, as D = (d) and 1 − d is invertible, the second equation gives σ' = αC / (1 − d), f﻿ixing σ', and then the first equation fixes β'. For the existence, if I = {0}, then τ = σ and we may take β' = β and σ' = σ; otherwise define sequences ^mσ and ^mτ of elements of R as follows:



^0σ = σ                          ^0τ = τ = αC + ^0σ d

^{m+1}σ = ^mτ                    ^{m+1}τ = αC + ^{m+1}σ d

(Continuation of the footnote on the generalisation to R-modules:) W, r^{−1} is the composite:

(0, 1_W) : W → V × W;   loop(1_{V×W} ... (π_1 ; r ; (0, 1_W))) : V × W → V × W;   π_1 : V × W → V
We claim that ^mσ − ^mτ ∈ I d^m for each m. This is true by assumption for m = 0, so assume inductively that it holds for some m; we then have

^{m+1}σ − ^{m+1}τ = ^mτ − (αC + ^mτ d)
                  = ^mτ(1 − d) − αC
                  = ^mτ(1 − d) − ^mτ + ^mσ d
                  = (^mσ − ^mτ) d ∈ (I d^m) d = I d^{m+1}

which proves the claim. Note that as d = xf for some non-zero f, ^mσ_k = ^{m+1}σ_k for m > k, since we have ^{m+1}σ − ^mσ = ^mτ − ^mσ ∈ I d^m = I f^m x^m. It follows that if we put σ'_k = ^{k+1}σ_k, then σ' − ^mσ ∈ I d^m for all m, and if we put τ' = αC + σ'D then σ' − τ' ∈ I d^m for all m, but the intersection of the ideals I d^m is the zero ideal, so σ' − τ' = 0, i.e., σ' = τ' = αC + σ'D; taking β' = αA + σ'B completes the proof. □

Remark: the solution in the case where d = 0 can also be given directly as σ' = αC and β' = α(A + CB).

Theorem 5.3. Valid stream circuits denote total functions.

Proof. By the lemma, it suffices to show that if a circuit denotes a function F : Σ^m × Σ → Σ^n × Σ given by (α, σ)F = (β, τ) where:

τ = αC + σD

D = (d) being a 1 × 1 matrix, and if every path in the circuit from the second input component to the second output component passes through an integrator, then d = xf for some f ∈ R. This is easy to verify by induction on the construction of the circuit, since passing a stream through an integrator corresponds to multiplying it by x. □
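The following Python code is an added example (not the paper's own) covering the ring operations on R = ℝ[[x]], the inverse recursion from Section 5.3, and the fixed-point iteration of Lemma 5.2. Series are truncated to N coefficients (an assumption of the example, so identities hold modulo x^N), the integrator is realised as multiplication by x, and the iteration is run both for d = x (one integrator on the feedback path, where iterate m is exact modulo x^m, matching the I d^m bound of the lemma) and for d = 1 (no integrator, the left-hand circuit of Figure 14, where the iterates never settle unless αC = 0).

```python
"""Formal power series and the fixed-point iteration of Lemma 5.2.

Added example, not code from the paper. A series f in R = R[[x]] is kept
truncated to its first N coefficients (assumption: everything below is modulo
x^N). Exact rational arithmetic avoids floating-point noise in the checks.
"""
from fractions import Fraction

N = 8                                       # truncation order (assumption)


def series(coeffs):
    """Pad or truncate a coefficient list to length N, as exact Fractions."""
    c = [Fraction(v) for v in coeffs][:N]
    return c + [Fraction(0)] * (N - len(c))


ZERO, ONE, X = series([]), series([1]), series([0, 1])


def add(f, g):
    return [a + b for a, b in zip(f, g)]


def sub(f, g):
    return [a - b for a, b in zip(f, g)]


def mul(f, g):
    """Convolution product (fg)_m = f_0 g_m + f_1 g_{m-1} + ... + f_m g_0."""
    return [sum((f[k] * g[m - k] for k in range(m + 1)), Fraction(0)) for m in range(N)]


def inverse(f):
    """Recursion from the text: (f^-1)_0 = 1/f_0 and
    (f^-1)_{m+1} = -(f_1 (f^-1)_m + ... + f_{m+1} (f^-1)_0) / f_0.  Needs f_0 != 0."""
    assert f[0] != 0, "only series with non-zero constant term are invertible"
    inv = [Fraction(1) / f[0]]
    for m in range(N - 1):
        s = sum((f[k] * inv[m + 1 - k] for k in range(1, m + 2)), Fraction(0))
        inv.append(-s / f[0])
    return inv


def order(f):
    """Smallest m with f_m != 0, or N if f == 0 modulo x^N."""
    return next((m for m, c in enumerate(f) if c != 0), N)


def integrate(s):
    """The integrator R(s) = [0, s_0, s_1, ...] is multiplication by x."""
    return mul(X, s)


def iterate_fixed_point(alpha_c, d, sigma0, steps):
    """Lemma 5.2 iteration sigma_{m+1} = alpha C + sigma_m d; returns all iterates."""
    its = [sigma0]
    for _ in range(steps):
        its.append(add(alpha_c, mul(its[-1], d)))
    return its


def direct_fixed_point(alpha_c, d):
    """Uniqueness argument of the lemma: sigma' = alpha C / (1 - d), when 1 - d is invertible."""
    return mul(alpha_c, inverse(sub(ONE, d)))


def iterates_agree_from(its):
    """For each m, the order of iterate_{m+1} - iterate_m, i.e. how many leading
    coefficients are already fixed.  With d = x the lemma predicts order >= m."""
    return [order(sub(b, a)) for a, b in zip(its, its[1:])]


if __name__ == "__main__":
    its = iterate_fixed_point(ONE, X, ZERO, N)          # sigma = 1 + x sigma
    print("iterates fix coefficients up to:", iterates_agree_from(its))
    print("limit:", its[-1], "direct:", direct_fixed_point(ONE, X))
    print("no integrator, d = 1:", iterates_agree_from(iterate_fixed_point(ONE, ONE, ZERO, 4)))
```

With αC = 1 and d = x the equation σ = 1 + xσ is the stream equation f = 1 :: tl(f) from Section 5.3, whose solution is the all-ones stream 1/(1 − x); with d = 1 the element 1 − d is 0, so `direct_fixed_point` is not applicable and the iterates differ by αC at every step, which is the failure the text describes for Figure 14.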



5.4 Hoare logic for stream circuits 

We will now construct a functor H_sc : S_sc → H and show that its restriction to valid circuits is a verification functor. Each object of S_sc has the form Σ^m = Σ × ... × Σ for some m. We define H_sc(Σ) to be the set of pairs (σ, I) where σ ∈ Σ and I ⊆ Σ corresponds to an ideal in R under the identification of Σ with R. H_sc(Σ) is ordered by defining (σ, I) ⊑ (τ, J) iff σ + I ⊆ τ + J. H_sc(Σ^m) is then defined to be H_sc(Σ)^m, which we may identify with the set of all pairs (α, L) where α ∈ Σ^m and L is what we may call a coordinate submodule of Σ^m, i.e., a submodule of the form I_1 × I_2 × ... × I_m where each I_k is an ideal of R under the identification of Σ with R. Note that the m-tuple (I_1, I_2, ..., I_m) can be recovered from the product I_1 × I_2 × ... × I_m since the ideals I_j are non-empty sets. The product ordering on H_sc(Σ)^m corresponds to taking (α, L) ⊑ (β, M) iff α + L ⊆ β + M. Thus we let (α, L) correspond to the subset α + L of Σ^m and think of α as an estimate of a value in Σ^m with L giving the precision of the estimate. So for example, (α, Σ^m) represents the whole set, or a maximally imprecise estimate, while (α, 0) represents the singleton set {α}, or an exact estimate.
On the morphisms (semantic values of stream circuits) f : X → Y in S_sc, we define the relation H_sc(f) as follows, where (α, L) ∈ H_sc(X) and (β, M) ∈ H_sc(Y), and where (A)r denotes the image of the set A under the relation r.

(α, L) H_sc(f) (β, M) := α + L ⊆ dom(f) ∧ (α + L)f ⊆ β + M

We now show that H_sc as defined above yields a verification functor for valid circuits.

Theorem 5.4. H_sc : S^v_sc → H, as defined above, is a verification functor for valid circuits.

Proof. That H_sc commutes with composition of morphisms is easy to verify, so H_sc is indeed a functor. By construction, H_sc(X × Y) = H_sc(X) × H_sc(Y) (although in our notation we are identifying (Σ × PΣ)^m with a subset of (Σ^m × P(Σ^m))), and one may check that H_sc(f × g) = H_sc(f) × H_sc(g) when f and g are morphisms, so H_sc is a monoidal functor. It remains to show that H_sc commutes with the trace. As in Theorem 5.3, it suffices to consider traces of morphisms f : Σ^m × Σ → Σ^n × Σ. So assume (α, L) H_sc(Tr(f)) (β, M); then by the definition of H_sc, α + L ⊆ dom(Tr(f)) and so in particular α ∈ dom(Tr(f)), which means that there is β' ∈ Σ^n and σ ∈ Σ such that (α, σ) f (β', σ). But then from the definition of H_sc we must have that β' − β ∈ M and that

((α, σ), L × 0) H_sc(f) ((β, σ), M × 0)

which means that H_sc(Tr(f)) ⊆ Tr(H_sc(f)). Conversely, assume that

(α, L) Tr(H_sc(f)) (β, M),

so that there is a stream σ and an ideal I such that

((α, σ), L × I) H_sc(f) ((β, σ), M × I).

Then (α, σ) ∈ dom(f), so that there are γ and τ such that (α, σ)f = (γ, τ), where γ − β ∈ M and σ − τ ∈ I. Now, just as in Theorem 5.3, the assumption that the circuit is valid lets us apply Lemma 5.2 to give unique δ and σ' such that (α, σ')f = (δ, σ') with δ − γ ∈ M and σ' − σ ∈ I, but then also δ − β ∈ M and we may check that (α, L) H_sc(Tr(f)) (β, M). Thus Tr(H_sc(f)) ⊆ H_sc(Tr(f)), completing the proof. □

This gives rise to a sound and complete Hoare-logic system for reasoning about valid stream circuits. Notice that the rules are only sound for valid circuits. For instance, consider the circuit c ∘ (+) : Σ × Σ → Σ × Σ used to construct the example shown on the left of Figure 14. For any a, the triple {((a, 0), Σ × Σ)} c ∘ (+) {(0, Σ × Σ)} is valid, but the triple {(a, Σ)} Tr(c ∘ (+)) {Σ} is only valid for a = 0.

Streams can be viewed as giving the Taylor expansions of analytic functions; in this particular example, the pre- and post-conditions in the Hoare logic correspond to partial sums for the Taylor expansions. A partial sum comprising n terms corresponds to the specification α + Σx^n, where α is any stream with α_i = s_i for i = 0, ..., n − 1. We have thus obtained from our general categorical construction a sound and complete formal system HL(L, [[·]], H_sc) for reasoning about valid
                                        ((+) ∈ S^f_sc)
  {(s, t)} (+) {s + t}      {s + t} f {t}
  --------------------------------------- (Seq)          ((c) ∈ S^f_sc)
  {(s, t)} (+); f {t}                                    {t} (c) {(t, t)}
  ------------------------------------------------------------------------ (Seq)
  {(s, t)} (+); f; (c) {(t, t)}
  ---------------------------------
  {s} Tr((+); f; (c)) {t}
  --------------------------------- (def)
  {s} fdback(f) {t}

Fig. 16. Derivation of feedback rule in HL(L, [[·]], H)

stream circuits and their input-output behaviour over classes of functions with a common partial Taylor sum.

If the simple feedback circuit fdback(f) is defined in S_sc by Tr((+); f; (c)), we then have the following rule, whose derivation is given in Figure 16 and is very similar to the derivation of the rule for while loops (cf. Figure 10).

  {s + t} f {t}
  -----------------
  {s} fdback(f) {t}
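As an added example (not the paper's code), the Python below checks H_sc-style triples {(α, n)} f {(β, m)} for R-linear circuits, reading (α, n) as the set α + x^n R, and verifies one instance of the feedback rule just stated with f the integrator. Because the circuits are R-linear, (α + x^n R)f ⊆ β + x^m R reduces to checking the estimate α itself and the basis elements x^k for k ≥ n. Streams are truncated to N coefficients and fdback(f) is computed by the iteration of Lemma 5.2; both are assumptions of the example, as is the choice of the particular streams S and T.

```python
"""Hoare triples of Section 5.4 for linear stream circuits (added example, not
the paper's code).  An assertion (alpha, n) stands for alpha + x^n R: the first
n coefficients of the stream are known to be those of alpha.  Streams are
truncated to N coefficients (assumption) and circuits are the R-linear maps of
Section 5.3 (integrator, scalar, sum)."""
from fractions import Fraction

N = 10                                      # truncation order (assumption)


def stream(coeffs):
    c = [Fraction(v) for v in coeffs][:N]
    return c + [Fraction(0)] * (N - len(c))


def integrator(s):
    """R(s) = [0, s_0, s_1, ...], i.e. multiplication by x."""
    return stream([0] + s[:N - 1])


def scalar(a):
    return lambda s: [Fraction(a) * v for v in s]


def plus(s, t):
    return [u + v for u, v in zip(s, t)]


def order(s):
    """Smallest index with a non-zero coefficient, or N for the zero stream."""
    return next((m for m, c in enumerate(s) if c != 0), N)


def triple_holds(pre, f, post):
    """{(alpha, n)} f {(beta, m)} in the sense of H_sc: (alpha + x^n R) f is
    contained in beta + x^m R.  f is assumed R-linear, so it suffices that
    f(alpha) - beta has order >= m and that f maps each x^k, k >= n, into x^m R."""
    (alpha, n), (beta, m) = pre, post
    if order([u - v for u, v in zip(f(alpha), beta)]) < m:
        return False
    for k in range(n, N):
        e_k = stream([0] * k + [1])         # basis element x^k
        if order(f(e_k)) < m:
            return False
    return True


def fdback(f, steps=N):
    """fdback(f) = Tr((+); f; (c)): the output t solves t = f(s + t).  Computed by
    the iteration of Lemma 5.2 (assumption: f's feedback path contains an
    integrator, so N iterations fix all N retained coefficients)."""
    def circuit(s):
        t = stream([])
        for _ in range(steps):
            t = f(plus(s, t))
        return t
    return circuit


# Constructed sample streams: S = 1 (the constant-one input) and T = x/(1 - x),
# the unique solution of t = x(1 + t), i.e. the stream [0, 1, 1, 1, ...].
S = stream([1])
T = stream([0] + [1] * (N - 1))


def feedback_rule_instance(n):
    """Premise {s + t} R {t} and conclusion {s} fdback(R) {t} for s = (S, n), t = (T, n + 1).
    The sum of the assertions has precision x^n R + x^(n+1) R = x^n R."""
    premise = triple_holds((plus(S, T), n), integrator, (T, n + 1))
    conclusion = triple_holds((S, n), fdback(integrator), (T, n + 1))
    return premise, conclusion


if __name__ == "__main__":
    print("fdback(R)(S) =", [int(v) for v in fdback(integrator)(S)])
    print("rule instance, n = 3:", feedback_rule_instance(3))
    print("claiming two extra digits of precision:", triple_holds((S, 3), fdback(integrator), (T, 5)))
```

The integrator raises the precision of an estimate by exactly one coefficient, so the post-condition (T, n + 1) is the sharpest one the rule yields from (S, n); asking for (T, n + 2) makes `triple_holds` reject the conclusion, since the basis element x^n is sent to x^{n+1}/(1 − x), which has order n + 1.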

5.5 Hilbert Spaces 

We have already remarked that the constructions of Section 5.1 apply to the category of Hilbert spaces and bounded operators. This gives a TMC whose objects are Hilbert spaces and whose morphisms are relations whose graphs are complete subspaces of a product space. Restricting to a specific Hilbert space Σ and its finite products Σ^m, analogues of all our results on stream circuits go through using closed discs, I_t = {σ : Σ | ||σ|| ≤ t}, in place of ideals of R. The analogue of Lemma 5.2 requires D to be a contraction mapping (||D|| = sup_σ(||σD||/||σ||) < 1), and then the fixed point can be given as an analytic limit. For the lemma to serve its purpose, the hypothesis on the approximate fixed point needs to be slightly stronger than for stream circuits, but the assumptions available where the lemma is used in Theorem 5.4 are sufficient.

The Hoare logic obtained in this way for systems where the semantic domains are Hilbert spaces is interesting to compare with the Hoare logic for vector space semantics in general given in [Arthan et al. 2007]. In the general approach we do indeed get a very general Hoare logic, but at the price of rules involving side-conditions that have a non-trivial semantic content. The approach for Hilbert spaces sketched here admits a much less general form of assertion and applies to a restricted category of spaces, but those restrictions mean that it falls within the general framework of the present paper and yields rules that are much more satisfactory from a syntactic point of view.

6. CONCLUSION AND RELATED WORK 

Several abstractions of the Floyd-Hoare logic can be found in the literature. In this final section we attempt to clarify the relation between the work presented here and the previous work. Due to the vast amount of research in the area, we will only cover, however, works that we believe are closely related to ours.

Kozen's [2000] Kleene Algebra with Tests, KAT, consists essentially of a Kleene algebra with a Boolean subalgebra. In Kozen's work Hoare triples {P} A {Q} are modelled as equations PA = PAQ, using the multiplication available in KAT. The rules of Hoare logic are then obtained as consequences of the equational theory of KAT. Although our work is based on similar ideas (reducing Hoare triples to pre-order statements) there does not seem to be at the moment a clear-cut connection between the two approaches. Whereas Kozen relies on the rich theory of KAT to derive the usual rules of Hoare logic, in our development we use a minimal theory of pre-ordered sets for obtaining soundness and completeness.

Kozen's work is related to previous work on iteration theory [Bloom and Esik 
1991; Manes and Arbib 1986] and dynamic logic [Pratt 1976]. It should be stressed 
that all these focus on the semantics of Hoare logic over flowcharts and while pro- 
grams, where the intrinsic monoidal structure is disjoint union. As we have shown 
in Section 5, our approach is more general including systems with an underlying 
cartesian structure as well. 

Abramsky et al. [1996] have also studied the categorical structure of Hoare logic, using the notion of specification structures. It is easy to see that a TMC S together with a verification functor H : S → H gives rise to a specification structure: H maps objects X ∈ S_0 to sets H(X), and H(f)(P) ⊆ Q defines a ternary relation H(X) × S(X, Y) × H(Y). The extra structure of pre-order and trace, however, allows us to prove an abstract completeness theorem, which does not seem to be the focus of [Abramsky et al. 1996].

Blass and Gurevich [2000] considered the underlying logic of Hoare logic. Since Cook's celebrated completeness result [Cook 1978], Cook-expressive first-order logics have been used in proofs of relative completeness for Hoare logic. Blass and Gurevich have shown that existential fixed-point logic EFL is sufficient for proving Cook's completeness result, without the need for Cook's expressiveness condition. EFL contains the necessary constructions to ensure that the functor H_fc(·) of Section 4.3 can be inductively built, rather than assumed to exist. The fixed-point construction is used in order to produce the fixed point Q of Lemma 4.1.

For a given semantic mapping [[·]] : L → S, verification functor H : S → H and program A : X → Y in L, the binary monotone relation {·} A {·}, i.e.

(·) H([[A]]) (·) : H(X) × H(Y)

can be viewed as an order-preserving function H(X)^op × H(Y) → B, where H(X)^op denotes the pre-order H(X) with the opposite ordering, and the usual ordering for the product and the booleans B is assumed. If we generalise pre-orders to categories, and the booleans B to an arbitrary category, the binary relation {·} A {·} becomes a profunctor (cf. [Cattani and Winskel 2004]). Such profunctors also arise from a generalisation of relation, the so-called span, used by Winskel [2005] to represent processes. A span is a diagram of the form A ← U → B, where A, B and U are event structures (partial orders endowed with a binary "consistency" relation). Such a diagram is equivalent to a morphism U → A × B as used in our definition of the category of C-relations. These observations suggest several possible links between our methods and Winskel's approach to non-determinism and concurrency.